
Major Web Browsers Will Be Dropping TLS 1.0 and 1.1 Support Soon

October 31, 2018 | Guest Blogger: Kim Crawley

One of the most important ways to keep your data well encrypted is to periodically replace older encryption standards with newer ones. Pretty much every cipher and cryptographic implementation is at its most secure when it is first deployed and gets progressively less secure over time. The computing clusters used for cipher cracking get more powerful. Security researchers and cyber attackers alike discover implementation vulnerabilities, which then become public knowledge. Cracking tools and scripts for both cyber attackers and security testers become more numerous and effective. Everyone who works with cryptography knows that every cipher and implementation has a “best before date”; it’s just a matter of whether that date is months from now or years from now.

Twenty years is a very long time for a cryptographic implementation. TLS 1.0 will be twenty years old soon because it was first deployed in January 1999. According to the Payment Card Industry (PCI), TLS 1.0’s “best before date” was June 30th, 2018. Now any ecommerce site or brick-and-mortar retailer that uses TLS 1.0 to encrypt credit card transactions will fail PCI compliance. PCI will not support TLS 1.0 use, and retailers have to use TLS 1.1, 1.2, or 1.3 in order to accept credit card payments.

According to Microsoft, Apple, Google, and Mozilla, TLS 1.0’s “best before date” is March 2020. Microsoft Edge, Safari, Chrome, and Firefox will soon no longer support TLS 1.0, and users of those web browsers will be notified that they cannot use it if they try to start an HTTPS session that uses the deprecated TLS version.

TLS 1.1 was released in April 2006. It had only minor improvements over TLS 1.0, including some security measures against cipher-block chaining attacks. Microsoft, Apple, Google, and Mozilla will no longer support TLS 1.1 in their web browsers as of March 2020 either.

Martin Thomson wrote for Mozilla’s blog:

“In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1. 

On the Internet, 20 years is an eternity.  TLS 1.0 will be 20 years old in January 2019.  In that time, TLS has protected billions – and probably trillions – of connections from eavesdropping and attack. 

In that time, we have collectively learned a lot about what it takes to design and build a security protocol. 

Though we are not aware of specific problems with TLS 1.0 that require immediate action, several aspects of the design are neither as strong or as robust as we would like given the nature of the Internet today.  Most importantly, TLS 1.0 does not support modern cryptographic algorithms. 

The Internet Engineering Task Force (IETF) no longer recommends the use of older TLS versions.  A draft document describes the technical reasons in more detail. 

We will disable TLS 1.1 at the same time.  TLS 1.1 only addresses a limitation of TLS 1.0 that can be addressed in other ways. Our telemetry shows that only 0.1% of connections use TLS 1.1.” 

According to Mozilla, 93.12% of TLS sessions in August and September 2018 (using Firefox Beta 62) were with TLS 1.2, and 5.68% of TLS sessions used TLS 1.3. TLS 1.3 is pretty new. It launched in August 2018. 

The major web browser developers have announced that they will drop TLS 1.0 and TLS 1.1 nearly a year and a half in advance in order to give web hosting companies and cloud service providers plenty of time to phase out the old versions of TLS.

Replacing older versions of TLS with newer versions takes a lot of work. Web servers will need to be replaced or updated. Certificates and PKI systems will have to adapt. When major changes like upgrading TLS are deployed, they also must be thoroughly tested. So updating to TLS 1.2 or TLS 1.3 absolutely cannot be done overnight. 

You have been warned, so the time to start working on the TLS upgrade to your web services is now. 
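
Before switching the old versions off, it helps to measure which clients still negotiate them, much as Mozilla did with its telemetry. The Python below is an added example, not code from the original post; it assumes an nginx access log whose `log_format` ends with the `$ssl_protocol` variable, and both that format and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Versions the browsers named in the article stop accepting in March 2020.
DEPRECATED = {"TLSv1", "TLSv1.1"}

# Assumed log_format (not from the article):
#   '$remote_addr [$time_local] "$request" $status "$http_user_agent" $ssl_protocol'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<proto>\S+)$'
)

# Constructed sample lines, using documentation IP ranges.
SAMPLE_LOG = """\
192.0.2.10 [31/Oct/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 Firefox/62.0" TLSv1.2
192.0.2.11 [31/Oct/2018:10:00:02 +0000] "GET /cart HTTP/1.1" 200 "Mozilla/5.0 Chrome/70.0" TLSv1.3
198.51.100.7 [31/Oct/2018:10:00:03 +0000] "POST /api/pay HTTP/1.1" 200 "legacy-pos/1.4" TLSv1
198.51.100.7 [31/Oct/2018:10:00:09 +0000] "POST /api/pay HTTP/1.1" 200 "legacy-pos/1.4" TLSv1
203.0.113.5 [31/Oct/2018:10:00:11 +0000] "GET / HTTP/1.1" 200 "Mozilla/4.0 (MSIE 8.0)" TLSv1.1
192.0.2.10 [31/Oct/2018:10:00:12 +0000] "GET /a.css HTTP/1.1" 200 "Mozilla/5.0 Firefox/62.0" TLSv1.2
this line is malformed and must be skipped
192.0.2.12 [31/Oct/2018:10:00:15 +0000] "GET / HTTP/1.1" 200 "curl/7.61.0" TLSv1.2
"""

def audit(log_text):
    """Return protocol shares (%) and the clients still on deprecated versions."""
    counts = Counter()
    legacy = defaultdict(Counter)   # (ip, user agent) -> protocol -> hits
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1            # keep unparsable lines out of the shares
            continue
        proto = m["proto"]
        counts[proto] += 1
        if proto in DEPRECATED:
            legacy[(m["ip"], m["ua"])][proto] += 1
    total = sum(counts.values())
    shares = {p: round(100.0 * n / total, 2) for p, n in counts.items()} if total else {}
    return {"total": total, "skipped": skipped, "shares": shares,
            "legacy_clients": {k: dict(v) for k, v in legacy.items()}}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for proto, pct in sorted(report["shares"].items()):
        print(f"{proto:8} {pct:6.2f}%{'  <- deprecated' if proto in DEPRECATED else ''}")
    for (ip, ua), hits in report["legacy_clients"].items():
        print(f"still on old TLS: {ip} ({ua}) {hits}")
```

The `legacy_clients` list is the part to act on: those are the integrations and devices that will break when TLS 1.0 and 1.1 are disabled, so they need upgrading or an owner notified first.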

About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.
